Re: Policy capabilities: when to use and complications with using

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 04, 2017 at 11:50:15AM -0400, Paul Moore wrote:
> On Wed, May 3, 2017 at 12:51 PM, Dominick Grift <dac.override@xxxxxxxxx> wrote:
> > On Wed, May 03, 2017 at 12:14:16PM -0400, Stephen Smalley wrote:
> >> Part of the reason that we tend to not introduce a new policy
> >> capability more often is that it is painful to do so currently.  We
> >> have to patch libsepol to recognize the new capability and patch the
> >> policy to declare it (although for the latter we can now declare them
> >> via a CIL module without modifying the base policy).  And since the
> >> policy or module won't build without the updated libsepol, we can't
> >> turn on the capability by default in refpolicy without making it
> >> dependent on a new libsepol version.  That's why extended_socket_class
> >> isn't yet enabled in refpolicy, for example.  That causes enablement
> >> and adoption to lag behind.  It also makes it harder to test the new
> >> kernel feature in the first place.
> >
> > I would like to see Fedora package the RC's in Rawhide as well (other distributions could help by packaging the RC's in unstable as well). That would atleast make the RC's a bit more accessible.
> > In Fedora it is usually not the kernel that is the problem, it is user space that is generally to old. And as you've said policy is no longer a problem with CIL.
> 
> [NOTE: I'm still thinking about the rest of Stephen's email, and the
> follow up comments, but I wanted to reply to this particular comment
> separately.]
> 
> I'm not sure I want to see SELinux userspace release candidates in
> normal Rawhide, but I think creating a COPR repository to
> build/distribute release candidates could be a good thing.  We already
> do something similar for the kernel patches and it has been helpful in
> my opinion.

Thanks, Yes i suppose you are right. Release Candidates would probably potentially cause too much disruption even in Rawhide.
COPR should do the job, although will not be as accessible as Rawhide. It won't get the same kind of attention, but it will do for me.

> 
> https://copr.fedorainfracloud.org
> https://copr.fedorainfracloud.org/coprs/pcmoore/kernel-secnext
> 
> -- 
> paul moore
> www.paul-moore.com

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux